MIS 7003 MIS Core Course The MBA Program The University of Tulsa Professor: Akhilesh Bajaj Security: Personal & Business © Akhilesh Bajaj 2004,2005, 2007, All Rights Reserved.

Personal Security -Guard against Phishing scams -Guard against keyboard logging software on public machines -Guard against sending and password addresses on open wireless networks. -Zombies are machines that have already been compromised -Run a firewall on your home computer Firewalls: -Use spyware protection software like spybot. -If possible use an operating system like Linux, that, when setup, is impervious to viruses.

Ethics from a Business Perspective Proportionality: Good should outweigh bad, and least bad should be used to accomplish the good. Informed Consent: Always get users/employees to be informed and to accept the risks Justice: Those who profit the most should bear the most risk Minimize risk: Similar to proportionality. -These are useful as a check list to ensure any new technology used by employees or customers or suppliers is ethical and defensible. -These can also be used to justify a policy of snooping on employees that is ethical and defensible. How can it be used to do that?

Security from a Business Perspective Threat: Changing employees, and securing data What kind of data? Customer lists, company statistics, internal memos -make employees sign really strong NDAs TCP/IP: Inherently hardened against network failure What is most important to a company? h/w, s/w, or data? Sources of problems with company data: -Failure of components (disk drives, optical disks) -Bugs in application software -Bugs in OS software -Attacks by malicious parties Adding redundancy increases complexity. E.g., Mirroring of data, mirroring of websites.

Checklist of Components of high availability: Uninterruptible Electric Supply Dual power inputs, UPS, access 2 power grids, diesel generators, battery less flywheel technologies on UPS (crank wheels) Physical Security Guards, CC TV, buffer zones, buildings hardened, single person (hostage proof buffers) biometric access, motion sensors Movie: Sneakers, 1992 Fire suppression, gas sealing

Availability Checklist Components of high availability (contd.): Network Access Two backbone providers, redundant connections, redundant network centers, private networks instead of the public internet Help Desk Manned 24X7, Automated backup procedures, disaster recovery plans. Why can’t we make servers redundant? What about the application servers? Log files need to be transferred. What about the database server? The database files need to be replicated.

Classification of Threats External Attacks: -Denial of Service (DOS): Distributed DOS, degradation of service Intrusions: -Social Engineering (Sneakers movie) -sniffing network traffic that is unencrypted -password cracking software -operating system hacks Viruses & worms -Because of operating system problems

Managing Security Security Policies: password content, frequency of change, access to databases, access to applications, what can users download?, central identity servers? password or token? Encryption: network data should be encrypted. Use https for all application access. Files can be encrypted on disk as well. Public Key versus Private key encryption Keeping track of patches and changes in the versions of code are part of security policies. Intrusion Detection: The Cuckoo’s Egg (recommended reading) by Clifford Stoll